Manage cnspec Providers

cnspec can assess the security of dozens of different platforms, from AWS to Windows hosts. Providers are the components of cnspec that allow it to evaluate specific platforms. When you download and install cnspec, you don't download or install any providers. Instead, when you run a cnspec command, cnspec automatically downloads and installs the provider(s) you need. This approach saves you download time, memory, and disk space. Each time you use cnspec, it ensures that you have the latest version of the necessary provider(s).

For example, suppose you download cnspec and install it on a Linux workstation. There are no providers installed on the workstation. When you run cnspec scan to assess local security, cnspec checks and finds that the provider it needs, the operating systems (os) provider, isn't present. cnspec automatically downloads and installs the os provider and then runs the scan. The os provider remains on your workstation for the next time you use cnspec for your operating system.

Continuing the example, suppose you then run cnspec shell aws to run some checks against your AWS account settings. cnspec downloads and installs the aws provider and opens the shell. The aws provider remains on your workstation for the next time you use cnspec for AWS.

Most users don't need to think about providers. cnspec manages them for you. However, there are some situations where you might want to manage providers yourself:

  • Containers

  • Read-only mode

  • Air-gapped environments

Provider considerations for containers

By default, when you spin up a container with cnspec installed and run any cnspec command, cnspec retrieves the latest version of the providers it needs. When the container is destroyed, the providers are destroyed. Therefore, the next time you spin up a container based on the same image, the download and installation repeat.

You can eliminate the unnecessary processing by:

Provider considerations for read-only mode

Some security situations dictate that cnspec must not be allowed to write to the machine on which it's installed. cnspec does operate in read-only mode; however, it can't download and install the providers it needs. Therefore, when you install cnspec on a machine on which cnspec won't have write access, you must also install the provider. To learn how, read Install, update, and remove providers below.

Note: If you install cnspec in an environment where it can't automatically update providers, you're responsible for installing provider updates.

To prevent error messages from displaying when you run commands in read-only mode, turn off provider auto-update. To learn how, read Turn off provider auto-update below.

Provider considerations for air-gapped environments

In an air-gapped environment, cnspec can't download the providers needed to scan or test the system. Therefore, when you install cnspec to an air-gapped machine, you must also install the provider. To learn how, read Install, update, and remove providers below.

Note: If you install cnspec in an air-gapped environment, you're responsible for installing provider updates.

To prevent error messages from displaying when you run commands, turn off provider auto-update.

Turn off provider auto-update

By default, each time you run a cnspec command, cnspec downloads and installs the latest version of the provider needed to execute the command (unless the latest version of the provider is already installed). You can change this behavior by disabling auto-update for cnspec.

If you disable auto-update, cnspec doesn't check whether the latest version of the necessary provider is installed. It uses the version of the necessary provider that is currently installed. If the provider isn't installed, the command fails.

Turn off provider auto-update for all cnspec commands and Mondoo scans

To never automatically update providers, set the auto-update value in the cnspec configuration file to false.

On a Linux or macOS host, cnspec configuration is stored in one of these locations:

  • /etc/opt/mondoo/mondoo.yml configures cnspec for all user accounts.

  • ~/.config/mondoo/mondoo.yml configures cnspec for a single user.

On a Windows host, cnspec configuration is stored in one of these locations:

  • C:\ProgramData\mondoo\mondoo.yml configures cnspec for all users.

  • C:\Users\{username}\.config\mondoo\mondoo.yml configures cnspec for a single user.

To configure cnspec to never update providers, set the configuration:

auto-update: false

Note: If you disable auto-update, be sure to check regularly for new versions of providers. To learn more, read Install, update, and remove providers below.

Turn provider auto-update on or off for a single cnspec command

To skip checking for, downloading, and installing the latest provider just once (for a single cnspec command), add the '--auto-update=false' flag to the command. For example, this scans the local machine without updating to the latest provider:

cnspec scan --auto-update=false

The command line flag overrides the mondoo.yml config file setting.

Install, update, and remove providers

You can download the latest versions of providers at https://releases.mondoo.com/providers/. Past versions are always available at the same location.

These are the available cnspec providers:

Provider          Target
ansible           Ansible IaC code
arista            Arista network devices
atlassian         Atlassian Cloud
aws               Amazon Web Services
azure             Microsoft Azure
cloudformation    AWS CloudFormation
equinix           Equinix Metal
gcp               Google Cloud
github            GitHub
gitlab            GitLab
google-workspace  Google Workspace
ipmi              Intelligent Platform Management Interface
k8s               Kubernetes
ms365             Microsoft 365
network           Hosts
oci               Oracle Cloud Infrastructure
okta              Okta
opcua             OPC Unified Architecture
os                Operating systems
shodan            Shodan Search Engine
slack             Slack
snowflake         Snowflake
terraform         HashiCorp Terraform IaC code
vcd               VMware Cloud Director
vsphere           VMware vSphere

To learn what providers are installed, run:

cnspec providers

For help on the providers subcommand, run:

cnspec providers -h

Manually install a provider

To install a provider, run:

cnspec providers install NAME

For NAME, substitute the provider name (as shown in the table above). For example:

cnspec providers install k8s

For help on manual provider installation, run:

cnspec providers install -h

To install a provider from a file, run:

cnspec providers install -f PATH

For PATH, substitute the path and name of the provider file. For example:

cnspec providers install -f providers/os/dist/os.tar.xz

To install a provider from a URL, run:

cnspec providers install --url URL

For URL, substitute the location and name of the provider file. For example:

cnspec providers install --url https://releases.mondoo.com/providers/os/9.0.7/os_9.0.7_linux_arm.tar.xz
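
For the read-only and air-gapped cases described earlier, one way to carry provider archives to the offline host and install them only if they arrive unmodified. This is an added example, not Mondoo's own tooling. It assumes every archive follows the URL layout of the single example URL above, that curl and GNU sha256sum are available, and the function names and the SHA256SUMS manifest name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: stage provider archives for an offline or read-only host.
# Assumption: every provider archive follows the URL layout of the one
# example on this page (NAME/VERSION/NAME_VERSION_OS_ARCH.tar.xz).
RELEASES="https://releases.mondoo.com/providers"

# Build the download URL for one provider archive.
provider_url() {  # usage: provider_url NAME VERSION OS ARCH
  printf '%s/%s/%s/%s_%s_%s_%s.tar.xz\n' "$RELEASES" "$1" "$2" "$1" "$2" "$3" "$4"
}

# Connected machine: download into DIR and record a SHA-256 manifest there.
stage_provider() {  # usage: stage_provider DIR NAME VERSION OS ARCH
  local dir=$1 url
  url=$(provider_url "$2" "$3" "$4" "$5") || return 1
  mkdir -p "$dir" || return 1
  curl --fail --silent --show-error --location \
       --output "$dir/${url##*/}" "$url" || return 1
  (cd "$dir" && sha256sum *.tar.xz > SHA256SUMS)
}

# Offline machine: succeed only if every listed archive matches the manifest.
verify_bundle() {  # usage: verify_bundle DIR
  [ -s "$1/SHA256SUMS" ] || return 1
  (cd "$1" && sha256sum -c SHA256SUMS) >/dev/null 2>&1
}

# Offline machine: verify first, then install only the archives the manifest lists.
install_bundle() {  # usage: install_bundle DIR
  local sum f
  verify_bundle "$1" || { echo "checksum mismatch in $1, nothing installed" >&2; return 1; }
  while read -r sum f; do
    cnspec providers install -f "$1/$f" </dev/null || return 1
  done < "$1/SHA256SUMS"
}

# Dispatch: "stage DIR NAME VERSION OS ARCH" or "install DIR".
case "${1:-}" in
  stage)   shift; stage_provider "$@" ;;
  install) shift; install_bundle "$@" ;;
esac
```

Run the stage step on a connected machine, move the directory across, and run the install step on the offline host. After that, run scans there with --auto-update=false or set auto-update: false in mondoo.yml, as described above.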

Manually update providers

To update to the latest version of all installed providers, run:

cnspec providers update

To update to the latest version of a specific provider, run:

cnspec providers update NAME

For NAME, substitute the name of the provider (as shown in the table above). For example:

cnspec providers update vsphere

Remove providers

To remove a provider, run:

cnspec providers remove NAME

For NAME, substitute the name of the provider you want to uninstall. For example:

cnspec providers remove terraform